PHP for Beginners by a Beginner: Simple Login, Logout, and Session Handling - Breaking It Down (Page 3 of 5)

All right, I’m kidding. We’re going to take a closer look at the code and see what it’s doing. We’ll start with login.php.

<?PHP
//check that the user is calling the page from the login form and not accessing it directly
//and redirect back to the login form if necessary
if (!isset($username) || !isset($password)) {
    header( "Location: http://www.yourdomain.com/login.htm" );
}
//check that the form fields are not empty, and redirect back to the login page if they are
elseif (empty($username) || empty($password)) {
    header( "Location: http://www.yourdomain.com/login.htm" );
}

This part of the code checks that the user is actually coming from login.htm, and not accessing the code directly. If they haven’t gotten here by using the login form, it will redirect them back to the page. If they have tried to log in, the second part verifies that they didn’t submit any blank fields. If they have, it will send them back to try again.

The $_POST variable is a global PHP variable. The syntax is $_POST['input_variable'], where input_variable is the name of the input field on the form, in this case username and password. It holds the data that was posted from the input fields on the form. The addslashes() function adds slashes to the username string, automatically escaping any quotes in the string. The md5() function, again, converts the string that the user has entered for the password field into a 32-character string. We convert the input from the form fields to simple variables to make the information easier to work with.

Once we have handled the input from the form, we must now connect to the database using the mysql_connect() function, then select the individual database we will be working with by using the mysql_select_db() function.

$result=mysql_query("select * from users where username='$user' AND password='$pass'", $db);

//we will redirect the user to another page where we will make sure they're logged in
header( "Location: checkLogin.php" );

}

} else {

//if nothing is returned by the query, unsuccessful login code goes here...

echo 'Incorrect login name or password. Please try again.'; } } ?>

Now that we’re connected to the database, let’s verify the user. We start by querying the database table users to make sure the username and password information submitted by the user exists. If the information is found and a row is returned, we log the user in and set the session variable needed for protecting the rest of our area.

To begin, we use session_start(). This is used to start the user’s session based on the current session id being passed by the POST method from login.htm. Once we have the session started, we register a variable that will be passed along as long as the current user’s session is active. In this case we’re using the variable $user, which we assigned the data from $_POST['username']. After we have the session variable registered, we will then redirect the user to our next page, which can only be accessed by a user who is logged in.

The end of the code handles the case where the user’s name and password cannot be found in the database. In that case the user can be redirected to another page, an error message can be displayed, or they can be redirected back to the login page.
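The same login check in hardened form, as an added example that is not part of the original tutorial: a parameterized query takes the place of addslashes() and string interpolation, and password_hash()/password_verify() take the place of md5(). It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory database, the account "alice", the passwords and the function names make_demo_db() and verify_login() are constructed for illustration.

```php
<?php
declare(strict_types=1);

// A throwaway hash used when the username is unknown (see verify_login()).
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

// In-memory SQLite stands in for the tutorial's MySQL database (assumption).
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Store a salted, deliberately slow hash instead of an md5() digest.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only when the username exists and the password matches its hash.
function verify_login(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps $user out of the SQL text, so quotes in the input
    // are treated as data and cannot change the query.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still run one verification so both paths cost the same.
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

$db = make_demo_db();
// Constructed inputs: a valid login, a wrong password, a username full of quotes.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-20s %s\n", $u, verify_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

In the login page itself, a true result would be followed by session_start() and session_regenerate_id(true) before the username is stored in $_SESSION, so the logged-in session does not reuse the pre-login session id.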